CERT, Vulnerability affecting multiple VPN Apps

AFFECTED

  • Cisco
  • F5 Networks, Inc.
  • Palo Alto Networks
  • Pulse Secure

Not Affected

  • Check Point Software Technologies
  • pfSense

At this time, the status of all other vendors is UNKNOWN.


The CERT Coordination Center (CERT/CC) has released information on a vulnerability affecting multiple Virtual Private Network (VPN) applications. An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review CERT/CC’s Vulnerability Note VU#192371 for more information and refer to vendors for appropriate updates, when available.

Multiple VPN applications insecurely store session cookies
Vulnerability Note VU#192371
Original Release Date: 2019-04-11 | Last Revised: 2019-04-11

Overview

Multiple Virtual Private Network (VPN) applications store the authentication and/or session cookies insecurely in memory and/or log files.

Description

Virtual Private Networks (VPNs) are used to create a secure connection with another network over the internet. Multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files.

CWE-311: Missing Encryption of Sensitive Data

The following products and versions store the cookie insecurely in log files:

The following products and versions store the cookie insecurely in memory:

  • Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
  • Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
  • Cisco AnyConnect 4.7.x and prior

It is likely that this configuration is generic to additional VPN applications. If you believe that your organization is vulnerable, please contact CERT/CC at [email protected].org with the affected products, version numbers, patch information, and self-assigned CVE.
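
The log-file half of this weakness can be checked for on an endpoint. The following is an added example, not part of the CERT/CC note or any vendor's tooling: it scans log lines for key/value pairs whose key name suggests a session secret, reports a hash fingerprint instead of the value, and redacts the line. The key-name pattern, the field names and the sample log lines are constructed assumptions.

```python
import hashlib
import re

# Key names that suggest a session secret. This pattern is an assumption for
# the example; it is not a list of cookie names from the advisory or a vendor.
SENSITIVE_KEY = re.compile(r"cookie|session|token|auth", re.IGNORECASE)
# key, separator (= or :), then a long token-like value with optional padding.
PAIR = re.compile(r'([A-Za-z][\w-]*)(\s*[=:]\s*"?)([A-Za-z0-9+/_.%-]{16,}={0,2})')


def fingerprint(value):
    """Short SHA-256 prefix: lets a report correlate leaks without the secret."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def scan_log(lines):
    """Return (line_no, key, fingerprint) for each plaintext session secret."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for m in PAIR.finditer(line):
            if SENSITIVE_KEY.search(m.group(1)):
                findings.append((line_no, m.group(1), fingerprint(m.group(3))))
    return findings


def redact(line):
    """Replace each sensitive value with its fingerprint; keep everything else."""
    def repl(m):
        if not SENSITIVE_KEY.search(m.group(1)):
            return m.group(0)
        return "%s%s<redacted:%s>" % (m.group(1), m.group(2), fingerprint(m.group(3)))
    return PAIR.sub(repl, line)


# Constructed sample log lines, not real output from any VPN client.
SAMPLE_LOG = [
    "2019-04-11 10:02:11 INFO  connecting to gateway vpn.example.test",
    "2019-04-11 10:02:13 DEBUG header Set-Cookie: SESSIONID=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA; path=/",
    "2019-04-11 10:02:13 DEBUG login ok user=alice auth_token=4f1c9a7e2b8d4c6f9a0e1b2c3d4e5f60",
    "2019-04-11 10:02:14 INFO  tunnel established mtu=1400",
]

if __name__ == "__main__":
    for line_no, key, fp in scan_log(SAMPLE_LOG):
        print("line %d: %s stored in plaintext (sha256 prefix %s)" % (line_no, key, fp))
    for line in SAMPLE_LOG:
        print(redact(line))
```

A finding here means the log file itself must be treated as a credential store: restrict its permissions, rotate or invalidate the sessions it exposed, and update the client where a fixed version exists.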

Impact

If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.

Solution

Apply an update
Palo Alto Networks GlobalProtect version 4.1.1 patches this vulnerability.

CERT/CC is unaware of any patches at the time of publishing for Cisco AnyConnect and Pulse Secure Connect Secure.


Cisco

Notified: January 31, 2019 Updated: March 20, 2019
Status

F5 Networks, Inc.

Notified: January 31, 2019 Updated: April 11, 2019
Status

F5 has been aware of the insecure memory storage since 2013, and it has not yet been patched. More information can be found here: https://support.f5.com/csp/article/K14969

They have been aware of the insecure log storage since 2017 and fixed it in versions 12.1.3 and 13.1.0 and onwards. More information can be found here: https://support.f5.com/csp/article/K45432295

Palo Alto Networks

Notified: January 31, 2019 Updated: April 11, 2019
Status

Update to GlobalProtect Agent 4.1.1 and later for Windows, and GlobalProtect Agent 4.1.11 and later for macOS.

Vendor References

https://securityadvisories.paloaltonetworks.com/Home/Detail/146

Pulse Secure

Notified: January 31, 2019 Updated: March 20, 2019
Status

Affected
Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

References

https://securityadvisories.paloaltonetworks.com/Home/Detail/146
https://vuldb.com/?id.133258
https://cwe.mitre.org/data/definitions/311.html
